Clawned - Protect your OpenClaw Instance and Scan Skills
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a security-scanner purpose, but its scan implementation can read files outside the selected skill directory via symlinks and some data sharing is under-disclosed.
Install only if you trust Clawned with skill inventory data and any files you explicitly scan. Until symlink-safe scanning is added, avoid scanning untrusted skill directories or directories that could contain links to secrets, and do not enable cron or daemon mode unless you want ongoing background sync.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Scanning an untrusted skill could unintentionally send local files that were not actually part of the skill.
The file collector recursively opens every file under the user-supplied scan path without any visible os.path.islink check or realpath containment check. Since SKILL.md says scan file contents are sent to the Clawned server, a malicious skill directory could include a symlink with a scannable-looking name that points outside the directory, causing sensitive files to be read and uploaded.
for root, _dirs, fnames in os.walk(path): ... sz = os.path.getsize(fpath) ... files[rel] = open(fpath, errors="replace").read()
Do not run scan on untrusted skill directories until the scanner skips symlinks and verifies every file's real path stays inside the selected skill directory.
Your device name and operating system may be shared with the Clawned service even though the sync privacy text emphasizes only skill metadata.
The user-facing privacy statement under-discloses that first-time sync registration also sends the local hostname and OS platform.
SKILL.md: "During `sync` ... Sends only skill metadata"; scripts/agent.py: "api_request('/api/skills/agent/register', {'hostname': platform.node(), 'os_platform': platform.system().lower()})"
The skill should disclose hostname/OS registration clearly and ideally let users opt out or choose a non-identifying agent name.
Running an explicit scan may share code or configuration details with Clawned.
Sending selected skill source files to the provider is disclosed and purpose-aligned, but source/config files can still contain secrets even when .env files are excluded.
During `scan --path` ... "File contents are sent to the Clawned server for security analysis"
Review the target directory before scanning, avoid scanning directories containing secrets, and use only a trusted HTTPS Clawned server.
The skill can authenticate to your Clawned account and locally parse your OpenClaw configuration.
The skill needs a Clawned bearer token and reads the OpenClaw config file to locate extra skill directories. The visible code appears to use the config for paths only, but this is still sensitive local/account access users should understand.
CLAWNED_API_KEY = os.getenv("CLAWNED_API_KEY", "") ... cfg = json.load(open(os.path.join(home, ".openclaw", "openclaw.json")))
Use a least-privilege Clawned API key if available and keep openclaw.json permissions restricted.
If enabled, the agent may continue syncing in the background until stopped.
The script includes a user-invoked background daemon mode and local PID/log/state files. There is no evidence it auto-starts, but background operation should be explicit.
python3 agent.py daemon # run in background ... PID_FILE = os.path.expanduser("~/.openclaw/clawned_agent.pid")
Only enable cron or daemon mode intentionally, document it in SKILL.md, and verify the stop command removes the background process cleanly.
